Slashdot Mirror

← Back to Stories (view on slashdot.org)

Relentless Web Attack Hard To Kill

Posted by kdawson on from the stay-dead-willya dept.

ancientribe writes "The thousands of Web sites infected by a new widespread SQL injection attack during the past few days aren't necessarily in the clear after they remove the malicious code from their sites. Researchers from Kaspersky Lab have witnessed the attackers quickly reinfecting those same sites all over again. Meanwhile, researchers at SecureWorks have infiltrated the Chinese underground in an attempt to procure a copy of the stealthy new automated tool being used in the attacks."

19 of 218 comments (clear)

  1. Whatever happened by RaceProUK · · Score: 5, Insightful

    to fixing the hole? It's like fixing a car coolant leak by pouring more water in the radiator.

    --
    No colour or religion ever stopped the bullet from a gun
  2. It's the plugins... by sam0737 · · Score: 2, Insightful

    At the end of the day it's the problem of plugins...I mean, besides the fact that the website is being infected, it's the flaws and vulnerabilities of the ActiveX/Browser plugins that allow this kind of activity to be profitable.

    Just yet another reason, besides bandwidth, to get Flashblock.

    And install as few as browsers plugins/ActiveX as possible.

  3. This disgusts me by 77Punker · · Score: 3, Insightful

    I develop web applications for a living right now and as someone who's only been in this game for a few months, this disgusts me. I already know how to prevent SQL injection with prepared statements. It's easy to do and requires no extra knowledge, so why doesn't everyone do this?

    1. Re:This disgusts me by Anonymous Coward · · Score: 1, Insightful

      You might know, but the intern who developped the crappy PHP4 app 8 years ago did not, and it would cost too many man days to fix the code.

    2. Re:This disgusts me by Rycross · · Score: 3, Insightful

      The problem is a frightening amount of training material on the web uses concatenated SQL strings to teach SQL. Pull up your average PHP/.Net/Java SQL tutorial and odds are that it will be concatenating strings. Throw that in with the fact that roughly half of the programmers reading that are going to be below average, and there you go.

    3. Re:This disgusts me by corsec67 · · Score: 3, Insightful

      Throw that in with the fact that roughly half of the programmers reading that are going to be below average

      Um for anything that is approximately normally distributed,... half of the X are going to be below average. (Especially if it is a continuous variable and you use the median)

      --
      If I have nothing to hide, don't search me
    4. Re:This disgusts me by Anonymous Coward · · Score: 1, Insightful

      I say that fully half of programmers will be below median assuming theres an even number of programmers.
      All bets are off if theres an Odd number of programmers.

    5. Re:This disgusts me by Emb3rz · · Score: 4, Insightful

      The idea of a SQL Injection attack is to pass a parameter in such a way that it changes the structure of the query itself. Typical beginner's SQL query:

      sql = "SELECT * FROM Users WHERE Username = '" & Request.Form("Username") & "' AND Password = '" & Request.Form("Password") & "';"

      This uses 'String Concatenation' to build a line of text from several smaller parts. The completed string is then, in this example executed by a database. A new query is dynamically created and executed based on the text passed to it. Thus, we are able to at this point change what query will be run. Form data:

      Username = "Admin"
      Password = "x' OR 'e' = 'e"

      So when the string is being put together, we get:

      SELECT * FROM Users WHERE Username = 'Admin' AND Password = 'x' OR 'e' = 'e';

      Certainly, even with no programming experience, one can see that the letter E will always be equivalent to the letter E. Thus, any validation of the password will return a false positive.

      Prepared statements avoid this whole deal by only allowing you to pass parameters. The query is already set in stone. You cannot change how it basically works, only its criteria / filtering / etc. A prepared statement would execute basically:

      SELECT * FROM Users WHERE Username = "Admin" AND Password = "x' OR 'e' = 'e";

      Since the query does not change dynamically when it's executed as a prepared statement, you can't add your logical 'OR' operator after having broken out of your parameter. You just get no rows returned, as should be the case.

    6. Re:This disgusts me by 77Punker · · Score: 3, Insightful

      Kaspersky can't figure it out because a virus scanner can't fix a web application. Fixing SQL injections is beyond their realm.

      Travelocity can't figure it out because their developers must suck. Travelocity is well-known because they have a decent service, not because the software that runs the service is really great software.

    7. Re:This disgusts me by delirium28 · · Score: 2, Insightful

      They're most likely trying to find a solution that doesn't require them to revisit and re-code a large portion of their site. They most likely want a band-aid solution rather than fix the underlying problem.

      --
      Who is John Galt?
    8. Re:This disgusts me by Emb3rz · · Score: 4, Insightful

      You're working off of the false assumption that security is about knowledge.

      We know abundantly well exactly how SQL injection attacks occur, and we also have many tools at our disposal to -absolutely- prevent them. What we don't have is the cooperation or effort from programmers on a widespread basis. Many are simply too lazy to research and implement reasonable security measures. It's easier to pretend that there are no ways whatsoever that anything can go wrong with your code because when you tested it it worked right. This willfull turning a blind eye to well-established security caveats is what has given us this terrible and prevalent security problem. It's easier to write code that checks nothing, it's quicker to do so, and it requires less think-juice on the part of the lazy programmer.

    9. Re:This disgusts me by CodeBuster · · Score: 2, Insightful

      Throw that in with the fact that roughly half of the programmers reading that are going to be below average, and there you go.

      That is what comes of outsourcing and offshoring especially, but there are still managers out there who refuse to acknowledge what I like to call the Iron Law of Software Development or more generally the Project Triangle (good, fast, cheap...pick two).

  4. Re:Kaspersky by martinw89 · · Score: 3, Insightful

    ...AVG...

    <mechanic>Well there's your problem.</mechanic>

  5. yet another ugly side of DRM by Aoet_325 · · Score: 3, Insightful

    "The toolkit is protected with a layer of digital rights management and appears to be sold mainly in China. "

    this is why I don't believe in "Tusted" computing.
    When software or hardware are used to take control of a computer away from that computer's owner bad things will happen.

  6. Re:Kaspersky by Arancaytar · · Score: 4, Insightful

    It's a bloody SQL injection attack. I'd like to see your virus checker automatically rewrite your web application to use input filtering.

    What these people need is a real web application instead of some self-built PHP script - not a virus scanner, whether free or expensive.

  7. Trust by mfh · · Score: 2, Insightful

    Okay keep using Noscript. I don't have a problem with that, but be warned that you are not fully protected by Noscript when the website you TRUST is attacked by an exploit like SQL injection, because YOU TRUST THAT WEBSITE.

    White-lists are better than no-lists, but they aren't perfect.

    --
    The dangers of knowledge trigger emotional distress in human beings.
  8. McColo? by Ungrounded+Lightning · · Score: 2, Insightful

    I wonder how many of the malicious servers the injected SQL dumped the users into were hosted on McColo - and are thus now not available?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  9. Don't rely on FlashBlock for security... by Giorgio+Maone · · Score: 2, Insightful

    FlashBlock is handy, but not a security tool.

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript
  10. Re:noscript by daveime · · Score: 2, Insightful

    Yes, we should stick to the old tried and true "overload the server and piss off the user" method of the 1990's.

    Name: Dave
    Country : Thailand
    Telephone : 12345678
    Date of Birth : 29/02/2000
    [SUBMIT]

    Oops' looks like some problems with your submission - please correct the following :-

    Please supply your Firstname AND Surname ...

    Name : Dave Mullen
    [SUBMIT]

    Oops' looks like some problems with your submission - please correct the following :-

    You are from Thailand, where people don't always HAVE surnames - please just supply your Name ...

    Name : Dave
    [SUBMIT]

    Oops' looks like some problems with your submission - please correct the following :-

    Please supply a full telephone number with area code ...

    Telephone : 0066 12345678
    [SUBMIT]

    Oops' looks like some problems with your submission - please correct the following :-

    Country code should start with + ...

    Telephone : +66 12345678
    [SUBMIT]

    Oops' looks like some problems with your submission - please correct the following :-

    Please supply an area code ...

    Telephone : +66 99 12345678
    [SUBMIT]

    Oops' looks like some problems with your submission - please correct the following :-

    February 29th is not a valid date because 2000 is not a leap year.

    BY WHICH TIME, *IF* THE USER IS STILL HERE, YOU HAVE THOROUGHLY PISSED HIM OFF, AND MADE NO LESS THAN 6 SUBMISSIONS TO THE SERVER FOR SOME CRAPPY VALIDATION THAT COULD HAVE ALL BEEN TRAPPED ON THE CLIENT SIDE.

    If that's the web you want, then it's your choice I suppose.